© Critical Informatics Inc., All Right Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, "Get off of my Lawn!" As they say, "You Can't Make This Stuff Up!"
(206) 687-9100
"Know your enemy and know yourself, and you will win a hundred battles." - Sun Tzu, The Art of War

The man and his work are legend, and for good reason. Inspired by the sage, I've explored this concept and applied his theories at some of today's largest companies. And if you've heard me or read anything I've written in the last few years, you'll recognize the following interrogatory statement, which is the above stratagem in modern cyber-security parlance: Do you know how, with what resources, and where you will direct your incident response team when an active attack has been detected against your organization?

Short shrift is being paid to the basic task of understanding one's own attack mitigation and response capabilities. We all finally agree that it's a matter of when and not if we are going to experience a breach. So, even if we know our threat horizon well, no security technology, architecture, practice or policy, at least today and within my lifetime, will ever be fully resistant to cyber-attacks. Knowing this, isn't it paramount to fully understand exactly what your organization should be doing when under active attack?

What I believe is commonly missing from IR planning is a way to provide tactical guidance once an attack is underway on who should be responding, what activities should be prioritized, what tools should be used, and most importantly, what specific defensive capabilities are going to be most effective against the specific type of attack being experienced.
Fighting a cyber-attack without knowing your own response capabilities is comparable to sending a field general out to command an army without telling the commander what weapons his troops have and how well they can use those weapons, and without any knowledge of the enemy's weapons the troops will face in battle. The corollary to this is the fact that many activities carried out in a standard, well-constructed IR plan may have little or no effect on stopping the attack and all the associated damage, because we cannot provide specific, appropriate responses a priori for a future attack.

Putting aside the "catch phrase of the month" connotation, the best method I know for IR capabilities assessment uses a form of the Cyber Kill Chain. As with most catch phrases, such as the acronym APT, which serves as a perfect example of a massively misused term, the usefulness of the concept of the Cyber Kill Chain has been quickly obscured by marketing hype. In essence, the Cyber Kill Chain is an adaptation of a military concept made applicable to cyber-defense, and it can be used to assess, in detail, what you can actually do to fight back when under attack.
Here are some key concepts that underlie the Cyber Kill Chain:

Cyber Kill Chain Response Capabilities Metrics - The areas to be assessed for strengths and weaknesses
  o Detect
  o Deny
  o Disrupt
  o Degrade
  o Deceive
  o Destroy

Cyber Kill Chain Response Capabilities Framework - The attack methodologies we measure our strengths and weaknesses against
  o Reconnaissance
  o Weaponization
  o Delivery
  o Exploitation
  o Installation
  o Command and Control
  o Action on Objectives

From a defensive perspective, both lists are ordered in the sequence in which these capabilities are applied, either by an attacker or by the defender, i.e. detection has to occur first, then denial is our second defensive response capability. But you might be unable to deny an attack; for example, denial alone is virtually impossible with a targeted malware attack that uses a network-attached storage array, such as the ones commonly used to house enterprise users' home directories, for attack amplification and instantaneous re-infection of cleaned systems. In that case, disruption may be necessary, but that capability is commonly the most expensive in terms of systems downtime. If you cannot bear an outage, which is the most common disruption technique, i.e. the cost of an outage exceeds the expected losses from the attack itself, you then must apply degradation and possibly deception techniques to stem the attack.
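As an added example (not from the original post), here is a minimal capabilities matrix in Python that encodes the two lists above and the post's decision rule: response capabilities are tried in defender order, any capability for which the assessment found no control is reported as a gap, and a disruption whose outage cost exceeds the expected loss is skipped in favor of degradation and deception. The controls and cost figures are constructed sample values for the Installation phase.

```python
from dataclasses import dataclass

# Response capabilities, in the order the defender applies them.
CAPABILITIES = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]

# Kill chain phases, in the order the attacker moves through them.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Action on Objectives"]


@dataclass
class Control:
    name: str
    downtime_cost: float = 0.0  # expected cost of the outage this control causes


# Constructed sample assessment: phase -> capability -> controls we actually have.
# An empty list means the assessment found no way to exercise that capability.
ASSESSMENT = {
    "Installation": {
        "Detect": [Control("EDR alert on new service install")],
        # NAS-backed home directories re-infect cleaned hosts: denial alone fails.
        "Deny": [],
        "Disrupt": [Control("Take NAS offline", downtime_cost=500_000)],
        "Degrade": [Control("Rate-limit SMB writes from workstations",
                            downtime_cost=5_000)],
        "Deceive": [Control("Decoy home-directory shares")],
        "Destroy": [],
    },
}


def gaps(phase):
    """Capabilities for which the assessment found no control in this phase."""
    return [c for c in CAPABILITIES if not ASSESSMENT.get(phase, {}).get(c)]


def plan_response(phase, expected_loss):
    """Controls to apply, in defender order, for the phase currently under way.

    Capabilities with no control are skipped, and any control whose outage cost
    exceeds the expected loss from the attack is skipped as well, which is what
    pushes the plan from Disrupt down to Degrade and Deceive.
    """
    plan = []
    for cap in CAPABILITIES:
        for ctrl in ASSESSMENT.get(phase, {}).get(cap, []):
            if ctrl.downtime_cost > expected_loss:
                continue  # the outage would cost more than the attack itself
            plan.append((cap, ctrl.name))
    return plan
```

Running `gaps` over every phase before an incident is the assessment the post argues for; `plan_response` is what the same data gives the responder once the active phase is known.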
Unless you fully understand your capabilities in defending against the active portion of the attack methodology you're currently experiencing, you are most likely spinning in place as the situation steadily worsens despite throwing all you've got at the problem. I believe a Cyber Kill Chain or similar IR capabilities assessment will need to become as essential to a robust information security program as the "standard" risk assessment, gap analysis and penetration testing practices have been, if organizations hope to survive the inevitable and come out the other side intact.

I'd like to close with another nugget of 2,500-year-old wisdom from Sun Tzu, with the reminder that without planning for the inevitable, you are almost assured to conduct your response like the last sentence in this parable:

"Should the enemy strengthen his van, he will weaken his rear; should he strengthen his rear, he will weaken his van; should he strengthen his left, he will weaken his right; should he strengthen his right, he will weaken his left. If he sends reinforcements everywhere, he will everywhere be weak."
How Will You Respond when You're Under a Cyber Attack?
9/24/2015, by Fred Langston, CISSP, CCSK, EVP, Professional Services